Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for correlating network session and file information, the method comprising: receiving packet data at a receiver module, the packet data comprising a network communication session; identifying a portion of the packet data representing a file being transferred over the network between a source and a destination; associating the identified portion of the packet data with the file being transferred; reassembling the identified portions of the packet data to create a recomposed file; storing the recomposed file in an electronic data storage device; analyzing the packet data associated with the file to extract a network communication session parameter associated with the file; storing in the electronic data storage device, the extracted session parameter; storing in the electronic data storage device, information identifying the recomposed file; generating a logical link between the information identifying the recomposed file and the extracted session parameter based on the association between the identified portion of the packet data and the file being transferred; prompting a user to enter a parameter descriptive of a target network communication session; receiving the parameter descriptive of the target network communication session; executing a query in the electronic data storage device to identify a file associated with the received parameter descriptive of the target network communication session based on the logical link between the information identifying the recomposed file and the extracted session parameter; returning an identification of the file associated with the received parameter descriptive of the target network communication session; prompting a user to enter a parameter descriptive of a target file transferred over the network; receiving the parameter descriptive of the target file transferred over the network; executing a query in the electronic data storage device to identify a network communication session associated with the received parameter descriptive of the target file transferred over the network based on the logical link between the information identifying the recomposed file and the extracted session parameter; returning an identification of the network communication session associated with the received parameter descriptive of the target file transferred over the network; and calculating a threat score based on a weighted analysis of the recomposed file, wherein the weighting is based on one or more of reliability, false positive rate, and false negative rate of the analysis; and wherein the calculated threat score is associated with the recomposed file and the session parameter.
2. The method of claim 1, further comprising electronically inspecting the recomposed file to determine whether the file poses a risk based on static analysis, dynamic analysis, or anti-virus scanning.
3. The method of claim 1, further comprising: inspecting the recomposed file to determine its file-type; and preparing the recomposed file for a signature-based threat scan based on the determined file-type.
4. The method of claim 3, wherein the signature is selected from a signature, regular expression match, indicator of compromise, or an intrusion detection system signature.
5. The method of claim 1, further comprising: computing a message digest of the recomposed file; monitoring the packet data at a receiver module to determine if a second copy of the recomposed file is received; logging session information associated with the second copy of the recomposed file without storing the second copy of the recomposed file.
6. The method of claim 1, further comprising calculating a weighted threat score based on the extracted network communication session parameter, file reputation information received from a reputation service, and the file.
7. The method of claim 1, wherein the file is an executable program, a document, or an electronic mail message.
8. The method of claim 1, further comprising performing a second threat scan of the file based on information about the file or the network communication session parameter associated with the file.
9. The method of claim 1, wherein a determination is made to perform a second scan of the file based on receipt of new threat signature data.
10. The method of claim 1, wherein a determination is made to perform a second scan of the file based on the receipt of revised threat signature data.
11. The method of claim 1, wherein a determination is made to perform a second scan of the file based on a user request.
12. The method of claim 1, wherein a second scan of the file is performed at a relatively lower processor priority than the first scan.
13. The method of claim 1, wherein a second scan of the file is not performed if the first scan of the file is less than a user-specified amount of time in the past.
14. The method of claim 1, wherein a determination is made to perform a second scan of the file based on a MIME-type or file-type associated with the file.
15. The method of claim 1, further comprising post-processing the packet data to determine protocol type for the packet data, whether the packet data is part of an HTTP or SMTP session, and extract session and, if present, file data.
16. The method of claim 1, wherein the packet data represents an electronic mail message and wherein the method further comprises electronically storing only a header, a link, or a metadata field from the electronic mail message.
17. The method of claim 1, wherein the network communication session parameter is selected from Internet protocol addresses, hashes of files, uniform resource locators, links in electronic messages, header information or any SMTP or HTTP parameters.
18. The method of claim 1, further comprising scanning the file locally to perform deep-file inspection.
19. The method of claim 1, wherein a threat score is weighted based on data selected from yara hits, cloud-based malware scale, static analysis, entropy calculation or other threat feeds.
20. The method of claim 1, wherein the receiver module is positioned inline between a source address and a destination address, and further comprising issuing a command to reset a connection between the source address and the destination address if a threat score associated with a file or session is higher than a predetermined threshold.
21. The method of claim 1, wherein the packet data is acquired from a file store source.
22. The method of claim 1, wherein the packet data includes layer seven information.
23. The method of claim 1, wherein the file is acquired through the user interface via manual upload by the user.
24. The method of claim 1, wherein the packet capture is acquired through the user interface via manual upload by the user.
25. The method of claim 1, further comprising signature-based threat analysis.
26. The method of claim 1, wherein the analysis is based on Internet protocol addresses.
27. The method of claim 1, wherein the analysis is based on file attributes.
28. The method of claim 1, further comprising storing hash information about the reconstructed file.
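The mechanism that claims 1, 5 and 19 describe (carve a file out of session packet data, hash it, store it once, link it to the session parameters, answer queries in both directions, and attach a weighted threat score) is shown below as an added worked example in Python. It is not the patentee's implementation and is not code from the patent: the HTTP sessions, packet segments, detector names and the reliability / false-positive / false-negative rates are all constructed for illustration, and the scoring formula is one plausible reading of "weighted analysis", not the claimed one.

```python
import hashlib
import math
import re
from collections import defaultdict

# Constructed sample traffic (not from the patent): two HTTP sessions that each
# transfer the same small fake "executable". Session s1's response arrives as two
# out-of-order TCP segments; s2 delivers an identical copy to another client.
FAKE_EXE = (b"MZ" + b"\x90" * 8 + b"This program cannot be run in DOS mode"
            + b"\x00" * 6 + b"cmd.exe /c powershell")
REQ = b"GET /updates/agent.exe HTTP/1.1\r\nHost: files.example.test\r\n\r\n"
RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
        + b"Content-Length: %d\r\n\r\n" % len(FAKE_EXE) + FAKE_EXE)
PACKETS = [  # sid: session id, dir: c2s/s2c, seq: byte offset within that direction
    {"sid": "s1", "src": "10.0.0.5", "dst": "203.0.113.7", "dir": "c2s", "seq": 0, "data": REQ},
    {"sid": "s1", "src": "203.0.113.7", "dst": "10.0.0.5", "dir": "s2c", "seq": 40, "data": RESP[40:]},
    {"sid": "s1", "src": "203.0.113.7", "dst": "10.0.0.5", "dir": "s2c", "seq": 0, "data": RESP[:40]},
    {"sid": "s2", "src": "10.0.0.9", "dst": "203.0.113.7", "dir": "c2s", "seq": 0, "data": REQ},
    {"sid": "s2", "src": "203.0.113.7", "dst": "10.0.0.9", "dir": "s2c", "seq": 0, "data": RESP},
]

def shannon_entropy(data):
    """Bits per byte of the recomposed file; 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

# (name, detector, reliability, false-positive rate, false-negative rate).
# The three rates are illustrative assumptions standing in for measured detector quality.
ANALYZERS = [
    ("pe_header", lambda d: d[:2] == b"MZ", 0.9, 0.05, 0.02),
    ("yara_like_string", lambda d: re.search(rb"powershell|cmd\.exe", d, re.I) is not None, 0.7, 0.20, 0.30),
    ("high_entropy", lambda d: shannon_entropy(d) > 7.0, 0.6, 0.25, 0.40),
]

def threat_score(data):
    """Weighted score in [0, 100]. A hit is worth reliability * (1 - fpr). A miss from a
    detector with a high false-negative rate is discounted by (1 - fnr), so a silent weak
    detector dilutes the hits of stronger ones less than a silent strong one would."""
    num = den = 0.0
    for _, detect, rel, fpr, fnr in ANALYZERS:
        w = rel * (1.0 - fpr)
        if detect(data):
            num += w
            den += w
        else:
            den += w * (1.0 - fnr)
    return 100.0 * num / den if den else 0.0

class FileSessionStore:
    """In-memory stand-in for the claimed electronic data storage device."""
    def __init__(self):
        self.files = {}       # sha256 -> recomposed bytes, stored once (claim 5)
        self.sessions = {}    # sid -> extracted session parameters (claim 17 style)
        self.links = set()    # (sha256, sid): the logical link between file and session
        self.scores = {}      # (sha256, sid) -> threat score tied to both (claim 1)
        self.dedup_log = []   # sessions that re-delivered an already stored file

    def ingest(self, packets):
        streams = defaultdict(lambda: {"c2s": [], "s2c": []})
        for p in packets:
            streams[p["sid"]][p["dir"]].append(p)
        for sid, dirs in streams.items():
            # Reassemble each direction by byte offset; segments may arrive out of order.
            request = b"".join(p["data"] for p in sorted(dirs["c2s"], key=lambda p: p["seq"]))
            response = b"".join(p["data"] for p in sorted(dirs["s2c"], key=lambda p: p["seq"]))
            head, sep, body = response.partition(b"\r\n\r\n")
            if not sep or not dirs["c2s"]:
                continue  # headers incomplete: nothing to carve yet
            client = dirs["c2s"][0]
            params = {"src_ip": client["src"], "dst_ip": client["dst"]}
            m = re.match(rb"GET (\S+) HTTP/1\.[01]\r\nHost: ([^\r\n]+)", request)
            if m:
                params["url"] = "http://%s%s" % (m.group(2).decode(), m.group(1).decode())
            ct = re.search(rb"Content-Type: ([^\r\n]+)", head)
            params["content_type"] = ct.group(1).decode() if ct else None
            cl = re.search(rb"Content-Length: (\d+)", head)
            if cl:
                body = body[: int(cl.group(1))]
            digest = hashlib.sha256(body).hexdigest()
            params["sha256"] = digest
            self.sessions[sid] = params
            if digest in self.files:
                self.dedup_log.append(sid)  # keep the session record, not a second copy
            else:
                self.files[digest] = body
            self.links.add((digest, sid))
            self.scores[(digest, sid)] = threat_score(body)

    def files_for_session(self, key, value):
        """Session parameter -> file identifiers (first query of claim 1)."""
        return sorted({d for d, s in self.links if self.sessions[s].get(key) == value})

    def sessions_for_file(self, digest):
        """File identifier -> sessions that carried it (second query of claim 1)."""
        return sorted(s for d, s in self.links if d == digest)

def demo():
    store = FileSessionStore()
    store.ingest(PACKETS)
    return store

if __name__ == "__main__":
    s = demo()
    digest = s.sessions["s1"]["sha256"]
    print("stored files:", len(s.files), "links:", len(s.links), "dedup:", s.dedup_log)
    print("sessions carrying", digest[:12], "->", s.sessions_for_file(digest))
    print("files fetched by 10.0.0.9 ->", s.files_for_session("src_ip", "10.0.0.9"))
    print("threat score:", round(s.scores[(digest, "s1")], 1))
```

Two points worth noting when turning this into a real sensor: the dedup step keys on the digest of the carved bytes only, so a single changed byte defeats it (which is the desired behaviour for a hash-keyed store), and the score must be recomputed whenever detectors or their measured rates change, which is what the rescan conditions of claims 9 to 14 provide for.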
April 12, 2016